Millions of SMS Text Messages Exposed In Unencrypted Database (techcrunch.com) 17
"A massive database storing tens of millions of SMS text messages, most of which were sent by businesses to potential customers, has been found online," reports TechCrunch. The database belongs to a company that works with over 990 cell phone operators and reaches more than 5 billion subscribers around the world, according to the researchers.
TechCrunch writes: The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.
The database stored years of sent and received text messages from its customers and processed by TrueDialog. But because the database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside. Security researchers Noam Rotem and Ran Locar found the exposed database earlier this month as part of their internet scanning efforts... Many of the messages we reviewed contained codes to access online medical services to obtain, and password reset and login codes for sites including Facebook and Google accounts...
One table alone had tens of millions of messages, many of which were message recipients trying to opt-out of receiving text messages.
TechCrunch writes: The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.
The database stored years of sent and received text messages from its customers and processed by TrueDialog. But because the database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside. Security researchers Noam Rotem and Ran Locar found the exposed database earlier this month as part of their internet scanning efforts... Many of the messages we reviewed contained codes to access online medical services to obtain, and password reset and login codes for sites including Facebook and Google accounts...
One table alone had tens of millions of messages, many of which were message recipients trying to opt-out of receiving text messages.
Spam (Score:5, Insightful)
In other words: unsolicited spam.
Re: (Score:3)
So what we have now is a database full of spam. So all those who weren't fed up with spam when they got it themselves can now relive the experience and enjoy it again.
Re: (Score:2)
Or we can train our spam filters with it.
Having said that SMS spam has mostly gone away now, at least around here. The combination of a cost to send each message and the threat of GDPR fines generally means you only get messages you agreed to and it's easy to opt out again.
Digital social media natives at work (Score:4, Informative)
The story sound so terrible usual.
Some shady startup a digital customer relation enabler company was founded by a digital-technology innovator woman to watch [atxwoman.com]. Being digital technology enabled, they probably called themselves something more glorious than spammers but that's what they do.
They successfully sold their services to companies to lazy or stupid to do their own spamming, get wonderful press-accolades for being so digitally native.
Profit - at least for some.
Meanwhile back in the trenches, why change stuff that works? The code cobbled together in a weekend while the company has struggling to find their first customer still works fine, doesn't it? At least until someone manages to take a peek under the hood.
Re: (Score:1)
As far as I can tell the women you linked to has nothing to do with True Dialog. What is the link you found, or intended to imply?
Carrie Chitsey (Score:3)
Carrie Chitsey founded in 2008 the company TrueDialog, which is involved in this latest instance of security through naïvity and ignorance.
Re: (Score:2)
Ah right, found it now. She seems to have tried to disassociate herself from TrueDialog, the last mention I can see is from 2010 when there was some kind of spin-off she was involved in called 3 Seventy.
Is she involved with TrueDialog now? They don't list staff on their web site.
It's all very shady, as expected for spammers.
Re: (Score:2)
Re: (Score:2)
That's how you do startup. Slap together some code and then sell it to one of big social media giants for some ridiculous amount of money because they fear a new competitor and want to squash it. Whether your code is good doesn't really matter that much, by the time anything happens you're no longer responsible for it.
What I can't figure out, though, is what the woman in your link has to do with anything.
Another day another breach (Score:1)
Re: (Score:2)
It's not a matter of intelligence, it's a matter of money: selling SMS services generates revenues. Selling secure SMS services generates fewer revenues (because security costs money, while no security doesn't). They'll only implement security after they get exposed, because then they'll lose customers, hence money.
In short: follow the money. As long as companies execs aren't made penally accountable for at least trying to secure data properly, they'll have zero incentive to do so before it's too late.
Looking on the bright side (Score:2)
At least it wasn’t a MongoDB installation this time... those stories were getting repetitive.
Do you know what SMS are? (Score:2)
They never were encrypted, and never were expected to be encrypted either.
Sure there technically is an "encryption" between the phone and the base station. Which is so easy to circumvent, it means nothing. But what does it matter? That is like WhatsApp's encryption between your Google-controlled phone and Facebook's servers. --.--
Want security? Use Signal.